Users often quickly click through website “I Agree,” “Continue” and similar buttons without actually reading the terms of use/terms of service they are agreeing to, simply to get to the desired content or service. Likewise, businesses rely on users blindly agreeing to their terms without pushback or negotiation. Even though it appears that users are agreeing to the businesses’ terms, businesses must remain current and attuned, given the multitude of successful legal challenges against well-known large companies that have struck down terms for not being properly presented to users and for being unenforceable. Aside from the obvious desire for businesses to have their terms upheld overall, businesses have even more at stake in having particular terms upheld: the arbitration and class action waiver terms. This is especially important with respect to litigation in the US and especially with respect to the California Consumer Privacy Act (“CCPA”) and upcoming copycat state laws.

Under the CCPA, there is a private right of action that can be triggered where there is a breach of certain categories of unencrypted personal information resulting from a business’s failure to “implement and maintain the reasonable security measures.” A consumer can file a civil action to recover the higher of either: 1) actual damages; or 2) statutory damages between $100 and $750 per consumer per incident. This can add up even for a small data breach. What’s notable here is that by creating a right to statutory damages for each violation, the CCPA makes it much easier than ever before for a consumer to recover damages, because proving actual damages in a data breach can be and has been difficult, if not impossible. Now that California consumers no longer need to prove actual damages, this is all but certain to increase class action litigation.

To mitigate these risks, CCPA-covered businesses not only need to focus on ensuring their terms are enforceable and include class action waivers, but they also need to address what reasonable security measures are specific to their data processing activities, encrypt the types of personal information that are covered under the private right of action, and supervise vendors whose inaction or sloppiness could draw them into a consumer lawsuit. Conversely, vendors should also take note of this risk and expect to see more robust indemnity clauses in agreements.

Especially if your company is a business-to-consumer company, your terms of use should have an enforceable class action waiver. It has yet to be seen if the language in the CCPA will prevent these waivers from being enforceable, but generally we believe that the Federal Arbitration Act may preempt the CCPA so long as there is a valid and enforceable agreement to arbitrate.

Looking at recent cases, there are certain ways to increase the chances of the terms being enforceable.

  • When the user signs up, ideally, you should draw attention to the terms of use AND the arbitration and class action waiver separately, with links that are clearly identifiable as links, with different colors and underlining.
  • In order to meet the standards set forth by some courts, ideally you should require users to scroll through, highlight waiver language in some conspicuous font, and/or include a confirmatory button. Again, some may see this as being in tension with business objectives, so you need to balance the risks.
  • The language describing the user’s action (e.g., “By clicking … you agree to …”) should be in a darker color that contrasts with a lighter background, and the font should be of a sufficient size.
  • For evidence in any future disputes, businesses should retain and archive records of each version with their associated dates. Save screenshots or videos of how the terms were presented to the user.
  • Engineering and legal should ensure as much consistency as possible in the manner of agreement across all platforms.

Businesses should ensure that their attorney has the opportunity to approve changes to user interfaces for user agreements and choices before engineers implement a modification.